10 imperatives for Internal Audit

Slowly, but surely….internal audit is transforming according to IIA report, but is it fast enough?

The IIA’s recent publication on the 2015 Common Body of Knowledge (CBOK) global survey is entitled “Driving Success in a Changing World: 10 Imperatives for Internal Audit.”

Compared to what similar surveys and reports over the past decade have found, it now shows that the internal audit profession is making substantial progress in making itself relevant to the business overall.

There is still repeated reference to the expectation gap between what stakeholders consider to be of value and what the internal audit function is delivering. But more than half of respondents now state that their activities are fully or mostly aligned with the strategic plan of their business. CAEs also state that they will focus almost as much on strategic business risks (70%) as operational risks (72%). This seems to reflect a fundamental shift away from the more traditional approach of focusing on financial and operational internal controls, outside of the context of the organization’s primary objectives.

The first three “imperatives” in the report refer to anticipating stakeholder needs, developing forward-looking risk management practices and continually advising the board and audit committee. Not so long ago the concept of being so forward-looking would have seemed somewhat idealistic, but not exactly realistic, for many audit teams. Other imperatives refer to supporting business objectives, going beyond the IIA standards and investing in excellence – all clearly good things for the profession.

But it is the seventh imperative that really struck a loud chord for me:

“Enhance audit findings though greater use of data analytics.”

Of course, survey results have been talking about the need for greater use of data analytics for years. But to have it singled out for inclusion among a list of fundamental and big picture audit issues really seems to indicate that the profession accepts that audit data analysis is not just a good practice, but a fundamental and critical requirement. It’s about time!

Before I get too excited though, things are not exactly rosy yet. The report states:

“Internal auditors must continue to improve their data analysis skills and techniques to enhance audit findings. In addition to being able to analyze complete data sets (rather than samples), such technologies enable auditors to improve efficiency and audit data-rich areas in more sophisticated ways. About half of survey respondents say they use data mining or data analytics in fraud identification (49%), to investigate issues raised through risk or control monitoring (47%), and to test entire data populations (47%), with little variation among global regions (Q96). This suggests that a much broader adoption of these techniques is needed.”

OK…I guess we’re not there yet . But somewhere around 50% usage is certainly better than it used to be and the implication of the report suggests the goal needs to be far beyond this.

Continuous auditing (another of my evangelizing topics) also has its own call-out in the report, stating “a little less than half of respondents (44%) report moderate or extensive activity for continuous/real-time auditing.” These numbers are significantly beyond the typical implementation of continuous auditing, which often hovered around the 10-15% mark.

Internal audit is not exactly renowned for being fast moving, which is certainly true compared to some business practices and innovations.

But compared to many traditional professions, the CBOK survey report indicates that audit is continuing to transform itself at a pretty healthy rate.